Hackers leave PS3 security in tatters •
Page 2

Recently, hackers have been able to reverse-engineer PS3 firmware updates by decrypting the contents using currently available exploits. But once the code had been decrypted, they could never re-encrypt it and pack it into the format the PS3 requires to install an updated system software. The secrets of the console could be revealed, but no changes could ever be made to the console. Custom firmware was impossible, and the console effectively remained secure.

Now all bets are off. Modules within the firmware can be patched, re-signed and repacked into an update file that any PS3 – jailbroken or not – can read. The patches made by the PSJailbreak USB dongles could be hard-coded into custom firmware, meaning dongle-less piracy that encompasses current and future firmwares. In effect, the PlayStation 3 is now the most vulnerable console on the market, even more exposed to hackers than the Wii and Xbox 360.

So what can Sony do? It can easily move on to new keys that do indeed use the random number element correctly, and these keys cannot be easily reversed. However, it cannot revoke the keys already used without invalidating every game and every piece of DLC released to date – and while those compromised keys remain valid, so does everything else signed by the hackers. Just about the only option available is to create a mammoth "white list" of executable code encompassing every single game and DLC patch released in the last four years and then blacklist anything else using the current keys.

However, the scale of this task is monumental – and ultimately pointless – as the Fail0verflow team have already demonstrated that revocation lists in the PS3 can be patched and that there is complete access to the system throughout its now-broken "chain of trust". New loaders using the new keys can simply be patched to accept the revoked older keys too. Making matters worse for Sony is the fact that the "master keys" for the PS3's initial bootloader – which can never be revoked and only changed with revised hardware – were uploaded onto the internet last night by iPhone hacker George Hotz (aka Geohot), using an exploit unknown even to the Fail0verflow team. This is system access at the very root of the system, a "master key" to the whole architecture.

Most – if not all – PS3 titles out now were created with Sony tools that pre-date the 3.41 firmware exploited by PSJailbreak. Sony locked out the pirates from titles like Gran Turismo 5 and Need for Speed: Hot Pursuit by introducing new encryption not found in the older firmwares. The new hack means that these titles will now be vulnerable to piracy.

At the time of writing, the Fail0verflow team have only just released their tools, but the methodology the team released has already brought about rapid progress in completely unlocking the PlayStation 3's internal workings. The principles behind making updates that can be unpacked, decrypted, patched, re-encrypted and recompiled into PUP files just like Sony's own firmware are right out there in the open, meaning that there's a good chance that a firmware 3.55 Jailbreak will be available very soon.

In the meantime, it must surely be panic stations at Sony and there must be some degree of introspection at the platform holder's HQ about why this has happened. The fundamental flaws in PS3's security model should have been exposed years ago – piracy is after all a big business in its own right. It's no mistake that PSJailbreak only appeared after Geohot publicly released his original hack – it was the toolkit that pirates required in order to understood how the system worked (though rumours persist that Hotz himself was in some way responsible for the Jailbreak, a technologically ingenious exploit he probably would have been very proud to uncover).

The Fail0verflow team says that hackers do the hard work in compromising a system to run Linux and homebrew code, while the pirates exploit that for their own ends. They suggest that the pirates themselves lack the skill to come up with the exploits, and that the PS3 was left unmolested for so long because Sony gave paying customers a way to run their own code on the system. In short, the real hackers weren't interested in opening up a system that was already open enough.

Fail0verflow says that removing OtherOS first from the Slim, and then from the original "fat" PlayStation 3 was the catalyst that brought this hack about and their own presentation tacitly acknowledges that piracy will be an inevitable consequence. As this article is being written, previously pirate-proof firmware 3.50 PS3 titles are being decrypted and re-packed for the existing firmware 3.41 Jailbreak - a stopgap solution for piracy until full-on custom firmware appears.

"There is absolutely no doubt in our mind that the PS3 lasted as much as it did due to OtherOS. The security really is terribly broken," the team posted on their Twitter page.

The battle between users wanting the right to run their own code on their own hardware, up against platform holders who want to rigidly retain those rights for themselves looks set to rage on well into the foreseeable future. Fail0verflow suggests that OtherOS/PS3 Linux was a compromise that kept most parties happy and piracy at bay, but the technical ingenuity of the PSJailbreak suggests that sooner or later, copied software will always become a problem for any console platform holder.